com.tencent.kona.sun.security.pkcs

Class PKCS7

java.lang.Object

com.tencent.kona.sun.security.pkcs.PKCS7

public class PKCS7
extends java.lang.Object

PKCS7 as defined in RSA Laboratories PKCS7 Technical Note. Profile Supports only SignedData ContentInfo type, where to the type of data signed is plain Data. For signedData, crls, attributes and PKCS#6 Extended Certificates are not supported.

Constructor Summary

Constructors

Constructor and Description
PKCS7(com.tencent.kona.sun.security.x509.AlgorithmId[] digestAlgorithmIds, ContentInfo contentInfo, java.security.cert.X509Certificate[] certificates, SignerInfo[] signerInfos)
PKCS7(com.tencent.kona.sun.security.x509.AlgorithmId[] digestAlgorithmIds, ContentInfo contentInfo, java.security.cert.X509Certificate[] certificates, java.security.cert.X509CRL[] crls, SignerInfo[] signerInfos) Construct an initialized PKCS7 block.
PKCS7(byte[] bytes) Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes.
PKCS7(com.tencent.kona.sun.security.util.DerInputStream derin) Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes from the DerInputStream.
PKCS7(java.io.InputStream in) Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes from the InputStream.

Method Summary

Modifier and Type	Method and Description
void	encodeSignedData(com.tencent.kona.sun.security.util.DerOutputStream out) Encodes the signed data to a DerOutputStream.
static byte[]	generateNewSignedData(java.lang.String sigalg, java.security.Provider sigProvider, java.security.PrivateKey privateKey, java.security.cert.X509Certificate[] signerChain, byte[] content, boolean internalsf, boolean directsign, java.util.function.Function<byte[],PKCS9Attributes> ts) Generate a PKCS7 data block.
static byte[]	generateSignedData(byte[] signature, java.security.cert.X509Certificate[] signerChain, byte[] content, java.lang.String signatureAlgorithm, java.net.URI tsaURI, java.lang.String tSAPolicyID, java.lang.String tSADigestAlg) Assembles a PKCS #7 signed data message that optionally includes a signature timestamp.
static byte[]	generateTimestampToken(Timestamper tsa, java.lang.String tSAPolicyID, java.lang.String tSADigestAlg, byte[] toBeTimestamped) Requests, processes and validates a timestamp token from a TSA using common defaults.
java.security.cert.X509Certificate	getCertificate(java.math.BigInteger serial, X500Name issuerName) Returns the X.509 certificate listed in this PKCS7 block which has a matching serial number and Issuer name, or null if one is not found.
java.security.cert.X509Certificate[]	getCertificates() Returns the X.509 certificates listed in this PKCS7 block.
ContentInfo	getContentInfo() Returns the content information specified in this PKCS7 block.
java.security.cert.X509CRL[]	getCRLs() Returns the X.509 crls listed in this PKCS7 block.
com.tencent.kona.sun.security.x509.AlgorithmId[]	getDigestAlgorithmIds() Returns the message digest algorithms specified in this PKCS7 block.
SignerInfo[]	getSignerInfos() Returns the signer's information specified in this PKCS7 block.
static java.net.URI	getTimestampingURI(java.security.cert.X509Certificate tsaCertificate) Examine the certificate for a Subject Information Access extension (RFC 5280).
java.math.BigInteger	getVersion() Returns the version number of this PKCS7 block.
boolean	isOldStyle() Returns true if this is a JDK1.1.x-style PKCS#7 block, and false otherwise.
java.lang.String	toString() Returns the PKCS7 block in a printable string form.
SignerInfo[]	verify() Returns all signerInfos which self-verify.
SignerInfo[]	verify(byte[] bytes) Returns all signerInfos which self-verify.
SignerInfo	verify(SignerInfo info, byte[] bytes) This verifies a given SignerInfo.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

PKCS7

public PKCS7(java.io.InputStream in)
      throws java.io.IOException

Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes from the InputStream.

Parameters:

in - an input stream holding at least one PKCS7 block.

Throws:

ParsingException - on parsing errors.

java.io.IOException - on other errors.

PKCS7

public PKCS7(com.tencent.kona.sun.security.util.DerInputStream derin)
      throws ParsingException

Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes from the DerInputStream.

Parameters:

derin - a DerInputStream holding at least one PKCS7 block.

Throws:

ParsingException - on parsing errors.

PKCS7

public PKCS7(byte[] bytes)
      throws ParsingException

Unmarshals a PKCS7 block from its encoded form, parsing the encoded bytes.

Parameters:

bytes - the encoded bytes.

Throws:

ParsingException - on parsing errors.

PKCS7

public PKCS7(com.tencent.kona.sun.security.x509.AlgorithmId[] digestAlgorithmIds,
             ContentInfo contentInfo,
             java.security.cert.X509Certificate[] certificates,
             java.security.cert.X509CRL[] crls,
             SignerInfo[] signerInfos)

Construct an initialized PKCS7 block.

Parameters:

digestAlgorithmIds - the message digest algorithm identifiers.

contentInfo - the content information.

certificates - an array of X.509 certificates.

crls - an array of CRLs

signerInfos - an array of signer information.

PKCS7

public PKCS7(com.tencent.kona.sun.security.x509.AlgorithmId[] digestAlgorithmIds,
             ContentInfo contentInfo,
             java.security.cert.X509Certificate[] certificates,
             SignerInfo[] signerInfos)

Method Detail

encodeSignedData

public void encodeSignedData(com.tencent.kona.sun.security.util.DerOutputStream out)
                      throws java.io.IOException

Encodes the signed data to a DerOutputStream.

Parameters:

out - the DerOutputStream to write the encoded data to.

Throws:

java.io.IOException - on encoding errors.

verify

public SignerInfo verify(SignerInfo info,
                         byte[] bytes)
                  throws java.security.NoSuchAlgorithmException,
                         java.security.SignatureException

This verifies a given SignerInfo.

Parameters:

info - the signer information.

bytes - the DER encoded content information.

Throws:

java.security.NoSuchAlgorithmException - on unrecognized algorithms.

java.security.SignatureException - on signature handling errors.

verify

public SignerInfo[] verify(byte[] bytes)
                    throws java.security.NoSuchAlgorithmException,
                           java.security.SignatureException

Returns all signerInfos which self-verify.

Parameters:

bytes - the DER encoded content information.

Throws:

java.security.NoSuchAlgorithmException - on unrecognized algorithms.

java.security.SignatureException - on signature handling errors.

verify

public SignerInfo[] verify()
                    throws java.security.NoSuchAlgorithmException,
                           java.security.SignatureException

Returns all signerInfos which self-verify.

Throws:

java.security.NoSuchAlgorithmException - on unrecognized algorithms.

java.security.SignatureException - on signature handling errors.

getVersion

public java.math.BigInteger getVersion()

Returns the version number of this PKCS7 block.

Returns:

the version or null if version is not specified for the content type.

getDigestAlgorithmIds

public com.tencent.kona.sun.security.x509.AlgorithmId[] getDigestAlgorithmIds()

Returns the message digest algorithms specified in this PKCS7 block.

Returns:

the array of Digest Algorithms or null if none are specified for the content type.

getContentInfo

public ContentInfo getContentInfo()

Returns the content information specified in this PKCS7 block.

getCertificates

public java.security.cert.X509Certificate[] getCertificates()

Returns the X.509 certificates listed in this PKCS7 block.

Returns:

a clone of the array of X.509 certificates or null if none are specified for the content type.

getCRLs

public java.security.cert.X509CRL[] getCRLs()

Returns the X.509 crls listed in this PKCS7 block.

Returns:

a clone of the array of X.509 crls or null if none are specified for the content type.

getSignerInfos

public SignerInfo[] getSignerInfos()

Returns the signer's information specified in this PKCS7 block.

Returns:

the array of Signer Infos or null if none are specified for the content type.

getCertificate

public java.security.cert.X509Certificate getCertificate(java.math.BigInteger serial,
                                                         X500Name issuerName)

Returns the X.509 certificate listed in this PKCS7 block which has a matching serial number and Issuer name, or null if one is not found.

Parameters:

serial - the serial number of the certificate to retrieve.

issuerName - the Distinguished Name of the Issuer.

toString

public java.lang.String toString()

Returns the PKCS7 block in a printable string form.

Overrides:

toString in class java.lang.Object

isOldStyle

public boolean isOldStyle()

Returns true if this is a JDK1.1.x-style PKCS#7 block, and false otherwise.

generateNewSignedData

public static byte[] generateNewSignedData(java.lang.String sigalg,
                                           java.security.Provider sigProvider,
                                           java.security.PrivateKey privateKey,
                                           java.security.cert.X509Certificate[] signerChain,
                                           byte[] content,
                                           boolean internalsf,
                                           boolean directsign,
                                           java.util.function.Function<byte[],PKCS9Attributes> ts)
                                    throws java.security.SignatureException,
                                           java.security.InvalidKeyException,
                                           java.io.IOException,
                                           java.security.NoSuchAlgorithmException

Generate a PKCS7 data block.

Parameters:

sigalg - signature algorithm to be used

sigProvider - (optional) provider

privateKey - signer's private ky

signerChain - signer's certificate chain

content - the content to sign

internalsf - whether the content should be included in output

directsign - if the content is signed directly or through authattrs

ts - (optional) timestamper

Returns:

the pkcs7 output in an array

Throws:

java.security.SignatureException - if signing failed

java.security.InvalidKeyException - if key cannot be used

java.io.IOException - should not happen here, all byte array

java.security.NoSuchAlgorithmException - if siglag is bad

generateSignedData

public static byte[] generateSignedData(byte[] signature,
                                        java.security.cert.X509Certificate[] signerChain,
                                        byte[] content,
                                        java.lang.String signatureAlgorithm,
                                        java.net.URI tsaURI,
                                        java.lang.String tSAPolicyID,
                                        java.lang.String tSADigestAlg)
                                 throws java.security.cert.CertificateException,
                                        java.io.IOException,
                                        java.security.NoSuchAlgorithmException

Assembles a PKCS #7 signed data message that optionally includes a signature timestamp.

Parameters:

signature - the signature bytes

signerChain - the signer's X.509 certificate chain

content - the content that is signed; specify null to not include it in the PKCS7 data

signatureAlgorithm - the name of the signature algorithm

tsaURI - the URI of the Timestamping Authority; or null if no timestamp is requested

tSAPolicyID - the TSAPolicyID of the Timestamping Authority as a numerical object identifier; or null if we leave the TSA server to choose one. This argument is only used when tsaURI is provided

Returns:

the bytes of the encoded PKCS #7 signed data message

Throws:

java.security.NoSuchAlgorithmException - The exception is thrown if the signature algorithm is unrecognised.

java.security.cert.CertificateException - The exception is thrown if an error occurs while processing the signer's certificate or the TSA's certificate.

java.io.IOException - The exception is thrown if an error occurs while generating the signature timestamp or while generating the signed data message.

getTimestampingURI

public static java.net.URI getTimestampingURI(java.security.cert.X509Certificate tsaCertificate)

Examine the certificate for a Subject Information Access extension (RFC 5280). The extension's accessMethod field should contain the object identifier defined for timestamping: 1.3.6.1.5.5.7.48.3 and its accessLocation field should contain an HTTP or HTTPS URL.

Parameters:

tsaCertificate - (optional) X.509 certificate for the TSA.

Returns:

An HTTP or HTTPS URI or null if none was found.

generateTimestampToken

public static byte[] generateTimestampToken(Timestamper tsa,
                                            java.lang.String tSAPolicyID,
                                            java.lang.String tSADigestAlg,
                                            byte[] toBeTimestamped)
                                     throws java.io.IOException,
                                            java.security.cert.CertificateException

Requests, processes and validates a timestamp token from a TSA using common defaults. Uses the following defaults in the timestamp request: SHA-1 for the hash algorithm, a 64-bit nonce, and request certificate set to true.

Parameters:

tsa - the timestamping authority to use

tSAPolicyID - the TSAPolicyID of the Timestamping Authority as a numerical object identifier; or null if we leave the TSA server to choose one

toBeTimestamped - the token that is to be timestamped

Returns:

the encoded timestamp token

Throws:

java.io.IOException - The exception is thrown if an error occurs while communicating with the TSA, or a non-null TSAPolicyID is specified in the request but it does not match the one in the reply

java.security.cert.CertificateException - The exception is thrown if the TSA's certificate is not permitted for timestamping.